Monday, 18 March 2013

Skype Malware Analysis

When i came back from work today and fired up Skype, multiple messages popped up immediately. Some of them in in English and some in Polish, but all leading to the same url with "pictures" of me ; oo. Another interesting fact was that all the messages came from people working at the same company (zomg APT alert ;D).

The messages looked like this:

Messages in English and Polish encouraging to visit the links

We check what is behind the url shortener:

zip file !

Crunchpress seems to be a 'hacked' website:

crunchpress image folder with some aditional content

Lets download and unzip it:

Oh noez! no pics just exe : (

Quick scan @ virustotal.com gives 7/44 and identifies the file as a dropper:

virustotal results

Not surprisingly it downloads something using HTTP protocol:

Actual bad stuff downloaded here

Let's see what we have there. First some quick geo localization request:

hi ho

Next a list of 'unwanted' domain names is downloaded (full list available here).

Risold.de where the file n.txt is hosted looks like another pwned web server.

Now we have three PE files downloaded from different locations:

file number 2

The detection ratio is higher (14/45), and the file is recognized as generic trojan:

fbp.exe virustotal ratio

Both files seem to be developed on the same machine by the same Visual C++ user, as they contain the following string:

C:\Users\Samim\Desktop\Stab\stb\Release\stb.pdb

The site hosting the fbp.exe is some Indian company.

site hosting malware

Ok, now the third file. This one is different, hosted on hotfile.com

http://hotfile.com/dl/198796835/3487ec8/f.exe.html

It is only detected by Kaspersky as a "UDS:DangerousObject.Multi.Generic".

In the packet capture i was also able to observe some IRC alike communication on port 1863.

IRC ?

xixbh.net domain resolves to this IP (China ;D). That explains the strange characters. So this is probably the C&C IRC managed botnet. I will stop here : ).

This was just a quick analysis, and it is a bit chaotic (sorry for that). If i will find some free time, a follow up with the executables analysis will show up here.